The Vulnerability the Heartbleed OpenSSL Poses To Your Security

Introduction

One of the vulnerabilities in OpenSSL is a bug called Heartbleed. OpenSSL is a commonly used implementation of the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) cryptography protocols. Heartbleed is an immediate threat to unpatched servers. It is a serious vulnerability that can allow secure communications to be intercepted by attackers who may steal sensitive information including personal data, login credentials, and decryption keys among other things.

Heartbeat

Also known as CVE-2014-0160(OpenSSL TLS ‘heartbeat’ Extension Information Disclosure Vulnerability), Heartbleed affects the Heartbeat component of OpenSSL. Since OpenSSL is open source, it is widely used by many individuals.

Heartbeat is the extension of TLS protocol that keeps the TLS session alive even when no communications have taken place for some time. It is a feature that verifies that the computers involved are still connected and still available for communications. Therefore, Heartbeat saves users the headache of having to re-enter credentials so that another secure connection can be established if the original connection is dropped.

Heartbeat works by sending a message to the OpenSSL server. The server relays the information back to the sender and in so doing the connection is verified. In the message are two components, a payload which is a packet of data of up to 64KB and information about the payload size.

Heartbleed Vulnerability

The Heartbleed vulnerability lets attackers spoof information about the payload size in OpenSSL. For instance, they could send 1KB payload but state that it’s 64KB. Thisis the key to the vulnerability.

The OpenSSL server does not attempt to verify whether message it receives is malformed or not. It will therefore not verify if the payload received is the size stated by the message. It just assumes that it is the correct size and, therefore, makes an attempt to send back a full 64KB even though it received just 1KB. The server thereby automatically pads out the payload size it sends back with data from the application’s memory. Therefore, it sends back 1KB payload data along with 63KB of data from the system memory. The extra 63KB data could be anything from login credentials, personal data, and encryption keys.

The data sent back is so random that there is no telling what the attacker gets back. It could be incomplete or useless data but if performed over and over again the attacker may eventually build a bigger more vivid picture of the data which may be of use to him or her.

Precautions

This is a vulnerability with OpenSSL library and not with the certificates or SSL/TLS. It is, therefore, advisable that one should upgrade to the latest OpenSSL that doesn’t have the heartbeat extension. In case you suspect your web server certificates have been stolen or otherwise compromised, get a replacement through the certificate authority. It is additionally prudent to reset the end-user passwords that may have been visible in the server memories that were compromised.

Standard online precautions such as avoiding dangerous websites and potential phishing emails should be enforced by consumers as well. Speaking to a computer specialist may help you determine whether your system has been compromised as well as the upgrades that you could make to secure your connections.

Be sure to check out part 1 and part 2 of an interesting article series.